It must be one of the biggest hacks the world has ever seen. This week, Yahoo announced they've lost the details of up to 1 billion customers. While the size of the hack is no doubt daunting, the more surprising thing was that Yahoo had a billion users in the first place. They've been playing catch-up to the likes of Google for years now.

However, that's not much comfort if you have a Yahoo account. And this isn't just a problem if you have an email address ending with yahoo.com or yahoo.co.uk. Lots of Internet Service Providers, such as Sky and BT, have outsourced their email service to Yahoo too.

The hackers stole names, addresses, phone numbers and MD5-hashed passwords, which security researchers claimed could be used in social engineering attacks to compromise the identity of users. The latest revelations come after an admission from Yahoo in September that hackers had managed to steal the details of 500 million users. Yahoo staff had known about that attack for a couple of years before they made it public.

It certainly looks like Yahoo's security systems are not up to scratch. The problem is that Yahoo had used a system called MD5 to hash passwords. MD5 is well known to be insecure and outdated and is advised against by most security researchers. 'The MD5 hashing algorithm has been considered not just insecure, but broken, for two decades,' says Ty Miller, Director of Sydney-based security firm Threat Intelligence.

Attacks against MD5 to steal passwords have existed since 2005, so Yahoo have no excuse for using it for so long. The internet is littered with free and paid services that can recover the password behind an MD5 hash within seconds. Now Yahoo have switched to the more secure bcrypt system, but the damage has been done.

But really the security problem may go to the heart of Yahoo's business. Companies offering free services online depend on having lots of users. The move from MD5 to bcrypt requires users to reset their passwords. Yahoo could well have feared that asking users to reset their password may have meant that they left Yahoo altogether.